Legislation and legal definition

What legislation governs the protection of trade secrets in your jurisdiction? How is a ‘trade secret’ legally defined?

The term ‘trade secret’ describes a wide range of information that extends beyond technological knowledge to commercial data such as information on customers, suppliers, business plans, market research, strategies and new products, provided that such information is undisclosed and intended to remain confidential. Businesses across all sectors use confidentiality as both a business competitiveness and innovation management tool and value trade secrets as much as other means of protecting their innovation-related activities, such as patents, design rights, copyrights or other types of intellectual property. Small and medium-sized enterprises (SMEs) in particular rely heavily on trade secrets.

With the rapidly increasing digitalisation of the entire economy as well as the widespread availability of technologies such as artificial intelligence, trade secrets have become increasingly relevant for businesses as a complement or an alternative to intellectual property rights to protect valuable know-how and business information – often referred to as the ‘currency’ of today’s knowledge and data economy. Increased digitalisation, connectivity and globalisation have also increased the exposure of businesses to trade secret misappropriation in the form of ‘cyber theft’, data breaches and industrial espionage.

However, before the Trade Secrets Directive, legal protection against the unauthorised acquisition, use and disclosure of trade secrets in the European Union was, compared to the recourse available against the infringement of intellectual property rights, underdeveloped and inconsistent across EU member states. This combination of a comparatively low level of protection and the lack of a uniform framework for trade secrets negatively affected European businesses’ ability to innovate, and on the whole, to properly function in the internal market.

The above-mentioned considerations were the backdrop to the adoption of Directive 2016/943/EU (Trade Secrets Directive) on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. The Trade Secrets Directive had to be implemented into national law by all EU member states by 9 June 2018. The Trade Secrets Directive established a homogeneous set of minimum standards of protection across the European Union; that is, EU member states may provide for more far-reaching protection, provided that compliance with certain mandatory exemptions and safeguards set out in the Trade Secrets Directive (eg, exemptions in respect of freedom of expression and whistle-blowing or the maximum limitation period of six years) is ensured. This means that EU member states have a certain amount of flexibility when implementing the Directive into their respective national laws.

The Trade Secrets Directive deals only with civil remedies against the unlawful acquisition, use and disclosure of trade secrets. EU member states’ laws and regulations on criminal sanctions or the use of trade secrets in administrative, public procurement or other national proceedings before governmental or other public authorities are out of scope and remain unaffected. Unfair competition laws, based on Directive 2005/29/EC (Unfair Commercial Practices Directive) on unfair business-to-consumer commercial practices in the internal market, also remain unaffected and may apply, depending on the circumstances, in addition to the Trade Secrets Directive.

At the heart of the Trade Secrets Directive, a uniform definition of what constitutes a ‘trade secret’ is introduced, building on the definition included in article 39 of the World Trade Organization Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) of 15 April 1994 (amended on 23 January 2017), by which both the European Union and all of its member states are bound. According to article 2 of the Trade Secrets Directive, ‘trade secret’ means information that:

  • is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;
  • has commercial value because it is secret; and
  • has been subject to reasonable steps under the circumstances by the person lawfully in control of the information to keep it secret.


According to the recitals, the definition should be construed to cover know-how, business and technological information where there is both a legitimate interest in keeping them confidential and an expectation that such confidentiality will be preserved. It intends to exclude trivial information as well as experience and skills gained by employees in the normal course of their employment.

The definition is not only similar to the definition found in article 39 of the TRIPS Agreement but also to the definition contained in the US federal Defend Trade Secrets Act of 2016.


How is ownership of a trade secret established?

The Trade Secrets Directive is silent on how ownership of a trade secret is established, but it defines the ‘trade secret holder’ as any natural or legal person lawfully controlling a trade secret. This would include, for instance, the person who created the trade secret, its employer or a person who acquired the trade secret from the original holder by way of transfer or licence.

Notably, and contrary to other forms of intellectual property protection, the Trade Secrets Directive does not grant an exclusive right to the trade secret holder but merely offers protection against the unlawful acquisition, use and disclosure – not limiting third parties’ rights to obtain access to the same information, for example, by way of independent research or reverse engineering (to the extent lawful under applicable national law).


What criteria are used to establish the state of secrecy of a trade secret before misappropriation or disclosure?

The Trade Secrets Directive does not provide for specific criteria. The trade secret holder will have to demonstrate that:

  • the information in question was not generally known among, or readily accessible to, persons within the circles that normally deal with such information; and
  • the information has been subject to reasonable steps under the circumstances to keep it secret.


Guidance on the practical application of both criteria will have to be developed by national courts and ultimately the Court of Justice of the European Union (CJEU).

Commercial value

How is the commercial value of a trade secret established?

According to the recitals, this requirement would be met regardless of whether the commercial value is actual or potential. For example, a trade secret should be considered to have commercial value, where its unlawful acquisition, use or disclosure is likely to harm the interests of the person lawfully controlling it (in that it undermines that person’s scientific and technical potential, business or financial interests, strategic positions or ability to compete).

Essentially, this would also capture information relating to unlawful or dishonest commercial practices (eg, information about past non-compliance with certain legal requirements). While such information may pass the above tests to qualify as having commercial value deriving from its secrecy (given that unauthorised disclosure would undoubtedly hurt the holder), it would be questionable to grant trade secret protection in such a case. The person disclosing such information may justify disclosure not only based on the Trade Secrets Directive’s safeguards on proportionality and abuse of process, but also on the exception for the purpose of revealing misconduct, wrongdoing or illegal activity, provided that such person acted for the purpose of protecting the general public interest (article 5(b)).

Protective measures

What criteria are used to determine whether the rights holder has adopted reasonable protective measures to prevent disclosure and misappropriation of trade secrets?

The Trade Secrets Directive does not provide any specific guidance on this, and it will be up to the national courts and ultimately the CJEU to develop a set of criteria for determining the standard required to meet the ‘reasonable steps’ requirement set out in article 2. Looking at the available case law in EU member states and at the literature, there does seem to be some consensus that such a determination must be made holistically while taking all relevant circumstances into consideration, including, for example, the size and sophistication of the business controlling the trade secret as well as the relevance and nature of the trade secret. In general, it could be expected that the courts will not apply an overly strict standard requiring that the trade secret be kept secret successfully, but will rather look at whether, on the whole, the holder has applied the organisational, technical and legal measures that can reasonably be expected under the circumstances.

Best practices

What best practices and internal policies should rights holders consider to ensure maximum protection of their trade secrets?

A comprehensive and adequate system to protect the secrecy of business information and know-how is key for two reasons:

  • article 2 of the Trade Secrets Directive requires that the holder prove that under the circumstances, reasonable steps have been taken to keep the information in question secret; otherwise, such information will not even be considered a ‘trade secret’, and thus legal protection will not be available; and
  • due to their nature and in the absence of any exclusive right awarded by law, trade secrets are only valuable as long as they are not widely available.


Even though the holder may have legal recourse under the Directive in the case of misappropriation, in practice, it is often difficult to remediate trade secret theft; therefore, establishing a sophisticated system to protect unregistered know-how and confidential business information is also a compliance and board-level issue (similar to the position under Regulation (EU) No. 2016/679 (General Data Protection Regulation) (GDPR) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data). Because of this, businesses are well advised to carefully implement a tailored protective approach, to update their systems regularly and to document all measures for evidentiary purposes. If an actual breach of these protective measures is identified, the potential gap in security should be closed without delay and the necessary steps should be taken to prevent further unauthorised access to confidential information.

While the Trade Secrets Directive does not offer direct guidance on best practice for protective measures, it is widely accepted that a solid protective concept requires a holistic approach and should be based on the following three measures.


Organisational measures
  • Identify the trade secrets and categorise them according to their commercial relevance so that measures, such as access restrictions and information barriers, can be applied meaningfully;
  • develop internal procedures and a policy on how to handle sensitive information while keeping such policy updated in line with operational and legal developments;
  • make sure that the staff – where the primary risk for trade secret theft lies – is on board: inform employees adequately, offer training on how to deal with trade secrets and document employees’ consent to the internal policies;
  • take great care of incoming and departing employees:
    • according to article 4(4) of the Trade Secrets Directive, the use of a trade secret may be considered unlawful whenever the person using it knew or ought to have known, under the circumstances, that the trade secret had been obtained directly or indirectly from another person who was using or disclosing the trade secret unlawfully. In other words, whenever new employees bring know-how with them, it should be carefully checked against this secondary liability risk; and
    • departing employees are typically a high-risk factor, especially if the circumstances for the termination of their employment were not amicable. A variety of court cases show that such employees may be incentivised to collect certain trade secrets with the intent of using them for competitive purposes, either with a future employer or for their own competing activities. Businesses are well advised to not only remind departing employees of their obligations with regard to trade secrets but also to monitor their activities during their remaining time of employment (to the extent legally permissible); and
  • implement access restrictions based on a need-to-know basis. This will reduce the practical risk of unauthorised disclosure and make it easier to track the flow of information within the company. This may also include the segregation of R&D and sales units (black-boxing) and ring-fencing measures (information barriers) around important projects.


Technological measures
  • The organisational measures, such as a trade secret policy and access restrictions, must be implemented on an IT level – the information and document management system must be designed accordingly;
  • the use of firewalls and encryption technologies is key, in particular for mobile devices, bring-your-own-device and home-office equipment;
  • working-from-home policies should be checked against and aligned with the company’s trade secret policy (eg, how to handle print-outs, virtual meetings, phone calls, etc), especially in light of the developments caused by the COVID-19 pandemic;
  • monitoring and tracking the access, use and flow of sensitive information within and outside the company (ie, the exchange with customers, suppliers and other external partners) is key for identifying and proving cases of possible trade secret theft as well as being able to document that ‘reasonable’ protective measures within the meaning of the Trade Secrets Directive have been put in place; and
  • most businesses will have internal technological measures in place regarding how to handle personal data under the GDPR. These procedures can often be used as a basis for how to handle trade secrets, but they differ in scope and purpose; overlaps and potential conflicts should be assessed carefully.


Legal (contractual) measures
  • Review existing partner, customer and supplier agreements with a focus on their confidentiality provisions, and, if required, revise such agreements;
  • ensure that adequate non-disclosure agreements (NDAs) are used in the course of business where required and that such NDAs sufficiently cover the information (eg, the potential intellectual property rights associated with it) that is to be exchanged. NDAs should also be managed in a way that ensures that the business can keep track of the legal framework for the exchange and sharing of information with third parties (in respect of its own obligations regarding third-party information as well); and
  • confidentiality clauses in employment contracts should be reviewed and strengthened if necessary; standard provisions often run the risk of being unenforceable under applicable law because they are too broad or unspecific. Provisions regarding intellectual property, trade secrets and non-compete clauses should also be aligned to ensure that they complement each other.


The above-mentioned measures must be precisely tailored to the needs of each individual business, and should be reviewed and updated regularly.